Telegram malware scams have risen 2000% in the last 2 months: Scam Sniffer

Web3 anti-scam platform ScamSniffer has reported a sizable increase in malware scams on Telegram’s social messaging platform. According to the firm, Telegram group malware scams increased by 2000% between November 2024 and January 2025.

This new form of attack started gaining prominence in late 2024 and continues to grow alarmingly. With this tactic, bad actors use fake groups and verification bots to distribute malware that can access users’ devices and steal their assets.

These fraudulent groups, usually advertised as exclusive alpha, airdrop, or trading groups, lure users to execute malicious code or install fake verification software to join the channel. Once executed, these codes and software allow the bad actors full access to users’ devices, where they can collect sensitive information to steal users’ assets.

Scam Sniffer wrote:

“Once you execute their code or install their “verification” software, they can access your passwords, scan for wallet files, monitor your clipboard, and steal browser data.”

While it is hard to determine how much has been lost to this new attack vector, Scam Sniffer noted the increase in the number of such scams, which suggests that it is working.

Malware attacks come in multiple variants 

Telegram malware scams have several variants that muddle up the waters for users. In one variant, the attackers ask users to input their phone number and login code for verification instead of executing any code or installing software. However, the phone number and login code give them access to the users’ Telegram accounts and allow them to take control.

Beyond using Telegram, the attackers also execute the same tactic using fake Cloudflare verification pages that deploy malicious code to the clipboard. The fake page usually contains a prompt asking for extra verification and requesting a user to run the Windows + R command. If successful, the malware becomes part of the device and is added to Windows startups.

With these bad actors using several variants of the same scam, security experts have called on users to be more cautious about what links they click and the software they install. Scam Sniffer noted that most of this malware usually contains invites promising users they do not need to sign anything or connect their wallet, while some also ask users to join groups for real-time updates.

The firm identified some fake bots that scammers use, including OfficialSafeguardRobot,  SafeguardsAuthenticationBot, and safeguardoff_bot. All these bots have naming similarities with real verification bots, with subtle misspellings and changes to mislead users.

Given that the full scope and impact of these new scam tactics remain unknown, experts noted that the best protection is for users to never run an unknown command, install unverified software, or use clip-based verification. As Scam Sniffer observed, no genuine crypto project requires users to run a code before they can join a group.

Shift to Telegram malware due to users’ awareness of phishing 

Scam Sniffer claims that bad actors adopted these new tactics because users are now more aware of traditional phishing tactics. Although phishing continues to result in significant losses, with almost $500 million lost in 2024, the security firm noted that regular phishing incidents have remained stable over the past two months.

Beyond their novelty, Telegram malware scams have a more devastating impact. This malware gives attackers more access to users’ devices, enabling them to hack multiple wallets and wreak more havoc using the sensitive information they glean from victims’ devices.

Interestingly, hackers are not just impersonating crypto influencers to market their fake groups. They are also using fake pages of legitimate crypto projects to target communities and invite them to join groups. Scam Sniffer identified invites for fake Telegram Groups attributed to projects such as Scoutly, Fridon AI, Build, and Hiero.

From Zero to Web3 Pro: Your 90-Day Career Launch Plan